The Two-Step Virus Lurks

The media has paid little attention to the Klez virus, but it could prove a lot more dangerous than most people suspect.

There probably isn't a reader of this column who hasn't received the Klez virus or its offspring: Klez.A, Klez.E, Klez.F, or Klez.H. There are a number of interesting aspects to this thing. One is that it sends out a large variety of messages. It spoofs addresses found in address books and usually has an idiotic subject line, such as "Japanese girl versus playboy," or "Look, my beautiful girlfriend," or merely "FW." It even sometimes contains a text message in the Pidgin language, and once in a while the message is about the Klez virus itself, with an attached "fix."

To confuse matters, the virus often comes from the address of a legitimate antivirus company. (To be safe, though, you should never take fixes and updates from e-mail; go to the sites instead.) Most antivirus sites have long essays analyzing this thing. The general consensus is that it is mostly benign since it doesn't go about erasing the hard drive. This seems to be the battle-fatigued opinion of most antivirus companies nowadays.

I disagree. The Klez virus is incredibly dangerous because it marks yet another step in the evolution of virus technology. The payload has a number of different names with different extensions. But what bothers me most is that at least one version of the virus will scan a user's computer for antivirus software and muck it up to the point that the antivirus company will recommend a complete reinstall of its software after the menace is eradicated.

The creators of this software, I believe, are testing the waters for complex two-step viral attacks in the future. These attacks could be in the form of a binary virus, one that combines two seemingly harmless strands into something horribly corrupting. The thing about Klez is that it accumulates copies in the attachment folders. Smart users may never trigger the virus, but they may also never erase some of the copies that end up in the e-mail system untouched. I get at least five of these attachments a day.

What if another virus comes along that can activate dormant copies remotely? What if the activation code is part of some completely innocuous system, such as an ActiveX control on a Web site or a cookie manager? The plan would be to permeate everything with a benign virus or even code posing as a cookie that nobody cares about.

The possibilities are endless. But the major media have paid little attention to Klez and written it off as a mere nuisance. Meanwhile, I've seen no evidence of anyone tracing Klez's origins. The software could be government-funded for all we know. According to Kaspersky Lab, a Russian antiviral company, the newest H iteration of Klez seems to have broken out most severely in Austria, China, the Czech Republic, and Japan. This makes pinpointing its origin hard, although I would guess Eastern Europe, since the virus attacks RAR (Roshal Archive) files and that compression technology is popular in that part of the world.

The two-step concept is nothing new to hackers, though. This is the way many Trojan-based denial-of-service attacks work. You get infected with something seemingly benign that sits on your machine, and then out of the blue, an order is sent to these programs from some central location to initiate a DoS attack. The current iteration could be nothing but a test.

The fact that the virus goes after antivirus software is the most disconcerting aspect to me: Take out the defense before the real attack occurs. Users have to consider the possibility that they are vulnerable no matter what the antivirus software tells them.

There are a couple of things that you should do immediately. First, run one of the numerous free special scanners that are available on nearly all the antivirus Web sites. Kaspersky's site (www.kaspersky.com), for example, has a little scanner called clrav.com that runs in command mode. (Click on About Viruses/Encyclopedia.) Symantec has a similar program called the Klez32 removal tool. I hope these companies continue to highlight these tools on their front pages, which is what the Norway-based newcomer Norman has done with its scanner, which gets rid of any file, dormant or active, infected with Klez and manages to patch its own antivirus scanner if it appears damaged.

Although the antivirus companies shift attention from one virus to another, I harp on Klez for the sheer number of times it has come to me. It's in a league of its own this way, and attention must be paid. I sense something big is coming.

John Dvorak is a columnist for PCMag.com and the host of the weekly TV video podcast CrankyGeeks. His work is licensed around the world. Previously a columnist for Forbes, Forbes Digital, PC World, Barrons, MacUser, PC/Computing, Smart Business and other magazines and newspapers. Former editor and consulting editor for Infoworld. Has appeared in the New York Times, LA Times, Philadelphia Enquirer, SF Examiner, Vancouver Sun. Was on the start-up team for CNet TV as well as ZDTV. At ZDTV (and TechTV) was host of Silicon...